{"id":7455,"date":"2026-05-17T17:18:18","date_gmt":"2026-05-17T17:18:18","guid":{"rendered":"https:\/\/delimiter.online\/blog\/nginx-cve-2026-42945-exploited\/"},"modified":"2026-05-17T17:18:18","modified_gmt":"2026-05-17T17:18:18","slug":"nginx-cve-2026-42945-exploited","status":"publish","type":"post","link":"https:\/\/delimiter.online\/blog\/nginx-cve-2026-42945-exploited\/","title":{"rendered":"Critical NGINX Flaw Exploited in Attacks After Disclosure"},"content":{"rendered":"

A newly disclosed security vulnerability<\/a> affecting widely used NGINX<\/a> software is now being actively exploited in the wild, just days after its public release, according to threat intelligence firm VulnCheck.<\/p>\n

The flaw, tracked as CVE-2026-42945<\/a> and carrying a CVSS severity score of 9.2, is a heap buffer overflow<\/a> found in the ngx_http_rewrite_module. It affects NGINX Plus and NGINX Open Source versions 0.6.27 through 1.30.0.<\/p>\n

Nature of the Vulnerability<\/h2>\n

Security researchers from the AI-native security company depthfirst first identified the issue. The vulnerability allows an attacker to trigger a worker process crash by sending a specially crafted request. In more severe scenarios, successful exploitation could lead to remote code execution<\/a> (RCE), giving an attacker control over the affected system.<\/p>\n

A heap buffer overflow occurs when a program writes more data to a block of memory, or buffer, than it was allocated. This overflow can corrupt adjacent data, leading to crashes or allowing an attacker to inject and execute malicious code.<\/p>\n

Active Exploitation Confirmed<\/h2>\n

VulnCheck reported that exploit activity has been observed in public attack traffic since the details of the vulnerability were made available. The rapid transition from disclosure to exploitation highlights a significant risk for organizations that have not yet applied patches.<\/p>\n

The NGINX rewrite module is commonly used to manipulate request URIs. It is a standard component in many server configurations, making the potential attack surface broad. Internet scanning data suggests that a large number of unpatched servers remain exposed online.<\/p>\n

Impact on Organizations<\/h4>\n

For users of NGINX Open Source, the vulnerability can lead to denial of service conditions through repeated worker crashes. For users of NGINX Plus, which is often deployed in critical production environments, the risk of remote code execution poses a more direct threat to data integrity and system security.<\/p>\n

Organizations using affected versions are advised to prioritize patching as soon as possible. The exploit code does not require advanced authentication, which lowers the barrier for attackers.<\/p>\n

Mitigation and Next Steps<\/h2>\n

F5, the company behind NGINX, has released patches for the affected versions. Administrators should upgrade to NGINX Open Source version 1.31.0 or later, or apply the corresponding security update for NGINX Plus.<\/p>\n

For environments where immediate patching is not feasible, security teams can implement temporary mitigations. These include restricting access to the rewrite module through configuration changes, deploying web application firewall rules to filter malicious requests, and monitoring for unusual worker process crashes or restarts.<\/p>\n

The disclosure of CVE-2026-42945 follows a pattern seen with other critical infrastructure software flaws, where proof-of-concept code appears shortly after public release. Security monitoring firms expect scanning activity to increase as more automated exploit tools incorporate the vulnerability.<\/p>\n

Administrators should verify their NGINX version immediately and check for signs of compromise, such as unexpected system behavior or unauthorized access logs. Further advisories from F5 are expected as additional analysis of the flaw becomes available.<\/p>\n

Source: Delimiter<\/p>\n","protected":false},"excerpt":{"rendered":"

A newly disclosed security vulnerability affecting widely used NGINX software is now being actively exploited in the wild, just days after its public release, according to threat intelligence firm VulnCheck. The flaw, tracked as CVE-2026-42945 and carrying a CVSS severity score of 9.2, is a heap buffer overflow found in the ngx_http_rewrite_module. It affects NGINX […]<\/p>\n","protected":false},"author":1,"featured_media":7456,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[505],"tags":[8762,8763,1482,953,6975],"class_list":["post-7455","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-cve-2026-42945","tag-heap-buffer-overflow","tag-nginx","tag-remote-code-execution","tag-security-vulnerability"],"_links":{"self":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/7455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/comments?post=7455"}],"version-history":[{"count":0,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/7455\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media\/7456"}],"wp:attachment":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media?parent=7455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/categories?post=7455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/tags?post=7455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}